[RESOLVED] Forwarder stops at midnight on Windows 2012R2 DHCP server log

Communicator

I have Splunk Universal Forwarders on 4 Windows 2012R2 servers, monitoring the DHCP server logs with this stanza:

[monitor://Z:\dhcp\logs]
disabled = 0
sourcetype = DhcpSrvLog
whitelist = DhcpSrvLog*
crcSalt = <SOURCE>
initCrcLength = 2000

That worked when I started the forwarder. But I found that the forwarder stopped sending new logs to my indexers at midnight sharp. I don't know whether that has something to do with the fact that the log for today has a timestamp of midnight yesterday:

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          2/4/2015  12:00 AM  146695986 DhcpSrvLog-Tue.log
-a---          2/4/2015  12:00 AM  138881102 DhcpSrvLog-Wed.log

At that point, I added an "alwaysOpenFile = 1" item in the stanza to see if that solves the problem. But I came in this morning to find that it had changed nothing whatsoever.

Soooo, what else can I do to handle this Microsoft beast?

[Edit]: Not sure if (or how) this could be a factor: The folder in the monitor stanza "Z:/dhcp/logs" is a Windows symbolic link to a folder "E:/dhcp/logs_<HOSTNAME>" -- those forward slashes (/) are replacements for backslashes in Windows, of course.

0 Karma
1 Solution

Communicator

Well, my monitor stanza actually did work.

I guess I wasn't patient enough after I put in "alwaysOpenFile = 1", which I believe is what made Splunk deal with the log file rotation correctly, in combination with "initCrcLength = 2000".

I don't believe that "crcSalt = <SOURCE>" is needed in this case but I am not going to change the stanza at this point as that does no harm either.

0 Karma
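
An added example, not part of the original posts and not Splunk's code: a simplified Python model of the initial-CRC comparison that "initCrcLength" and "crcSalt = <SOURCE>" in the stanza above tune. It assumes every DHCP log opens with the same header of more than 256 bytes (the documented default for initCrcLength) and that the server reuses each day-named file a week later; zlib.crc32, the header text and the event lines are constructed stand-ins, and the rest of the forwarder's file tracking is not modeled.

```python
import zlib

# Constructed stand-in for the fixed banner and event-ID legend at the top of
# every DHCP audit log (not copied from a real server); longer than 256 bytes
# and shorter than 2000.
HEADER = (
    "\t\tMicrosoft DHCP Service Activity Log\r\n\r\nEvent ID  Meaning\r\n"
    + "".join(f"{i:02d}\tConstructed legend entry number {i}\r\n" for i in range(30))
    + "ID,Date,Time,Description,IP Address,Host Name,MAC Address\r\n"
).encode("ascii")

def make_log(event_line):
    """One constructed daily log: the shared header plus a single event."""
    return HEADER + (event_line + "\r\n").encode("ascii")

def initial_key(path, data, init_crc_length=256, crc_salt=None):
    """Model of the initial-CRC comparison: checksum of the first
    init_crc_length bytes, with the path mixed in when crc_salt is <SOURCE>.
    zlib.crc32 is a stand-in, not Splunk's internal checksum."""
    salt = path if crc_salt == "<SOURCE>" else (crc_salt or "")
    return zlib.crc32(salt.encode("utf-8") + data[:init_crc_length])

def colliding_files(files, **settings):
    """Walk (label, path, data) in order; return labels whose key equals one
    already recorded, i.e. files that look like something seen before."""
    seen, collisions = set(), []
    for label, path, data in files:
        key = initial_key(path, data, **settings)
        if key in seen:
            collisions.append(label)
        seen.add(key)
    return collisions

# Constructed sample: two days' logs, then Wednesday's file reused a week later.
TUE, WED = r"Z:\dhcp\logs\DhcpSrvLog-Tue.log", r"Z:\dhcp\logs\DhcpSrvLog-Wed.log"
FILES = [
    ("Tue", TUE, make_log("10,02/03/15,00:00:05,Assign,10.0.0.5,host-a,AABBCCDDEEFF")),
    ("Wed", WED, make_log("11,02/04/15,00:00:07,Renew,10.0.0.9,host-b,001122334455")),
    ("Wed+7d", WED, make_log("10,02/11/15,00:00:03,Assign,10.0.0.7,host-c,66778899AABB")),
]

if __name__ == "__main__":
    for name, cfg in [("defaults", {}),
                      ("crcSalt only", {"crc_salt": "<SOURCE>"}),
                      ("initCrcLength only", {"init_crc_length": 2000}),
                      ("both", {"crc_salt": "<SOURCE>", "init_crc_length": 2000})]:
        print(f"{name:20} collisions: {colliding_files(FILES, **cfg)}")
```

In this model the path salt separates Tuesday's file from Wednesday's but not Wednesday's file from its own reuse a week later; only an initCrcLength that reaches past the shared header tells all three apart.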
